The news that, according to the national security review at least, cyber attack comes second only to terrorism as the gravest security threat facing the nation will have come as a great surprise to most citizens. We are conscious of the annoyances of malware, viruses, worms, spam and phishing, but for most these are just minor irritations, not threats to the nation’s survival.
Yet the other day we had the foreign secretary gravely intoning why, in the midst of the most savage spending cuts in living memory, it is suddenly necessary to give an extra £500m to GCHQ to protect us against nemesis in cyberspace. At the same time, in America, we see the Pentagon setting up a whole new cyber command, USCybercom, with all the usual paraphernalia and awash with funding.
What, you might ask, is going on?
There seem to be two broad answers to the question. The cynical one is that this is just the latest development of the military-industrial complex that is the bane of industrialised economies. Changes in society and warfare patterns threaten the future prosperity of this colossal set of vested interests.
Aircraft carriers, missile systems and tanks are of little use against ragged-trousered terrorists and so a new and sinister threat has to be manufactured to ensure reliable cash-flow for BAE Systems & co into the next century. In which case, cyber security will do nicely.
And, say the cynics, the strategy is succeeding. According to the New Yorker journalist Seymour Hersh, the military-industrial complex in the US has morphed into “a military-cyber complex”. Hersh says that the US government spends between bn and bn annually for unclassified cyber-security work and about the same on the classified part.
The alternative explanation is that the threat really is more serious than many of us had supposed. The arrival of the Stuxnet worm was a salutary event because of its sophistication and the fact that it targeted a device that plays a critical role in innumerable industrial processes. Could it be that the threat truly has ratcheted up? Is there a real threat of “cyber warfare”? If so, what could be done about it?
At a seminar in Cambridge last week, Dr Herbert Lin of the National Academies of the USA gave a sobering overview of the challenges posed by conflict in cyberspace. The central problem is that, in the online domain, the attacker has most of the advantages. Passive defences (better firewalls, anti-virus precautions etc) can have some effect, but they’re never going to deter or prevent determined or sophisticated attacks.
So what does a nation do?
One answer is to seek lessons from the policy of nuclear deterrence. Many policy-makers see cyber deterrence as the only feasible policy in an offence-dominated domain. After all, we have lots of experience with nuclear deterrence and we know it worked. So maybe that’s the way to go?
Alas, no. As Dr Lin put it, while nuclear and cyber deterrence raise the same questions, the answers are different and much less satisfactory in the online case. Deterrence is a tool for dissuading an adversary from taking hostile action, but it depends on being able to identify the potential attacker. Nuclear deterrence worked for various reasons: only nation-states were potential adversaries; attacks would have been easy to detect and would have come from outside one’s territorial boundaries. It was possible to demonstrate that one possessed the capability for devastating retaliation and it would have been easy to determine when hostilities had ceased.
None of this applies in cyberspace. The resources to mount attacks are not the sole prerogative of nation-states. It may be difficult to distinguish an attack from incessant malware and cybercrime. Identifying the source of an attack can be problematic and an astute attacker might leave a false trail leading to a country that would regard massive retaliation as an act of war. There’s no obvious way of demonstrating a capability for retaliation. There’s no precedent for countries targeting nuclear strikes on companies. And there’s no obvious way of establishing that hostilities have definitively ceased.
The inescapable conclusion is that deterrence won’t work in cyberspace. We need a better idea. The £500m we’ve just donated to GCHQ suggests that it won’t come cheap.
guardian.co.uk © Guardian News & Media Limited 2010
John Gilmore, campaigner against internet censorship.
In the annals of the net, one of the sacred texts is John Gilmore’s aphorism that “the internet interprets censorship as damage and routes around it”. Mr Gilmore is a celebrated engineer, entrepreneur and libertarian activist, who is regarded by the US Department of Homeland Security, the National Security Agency and men in suits everywhere as a pain in the ass. He was the fifth employee of Sun Microsystems, which meant that he made a lot of money early in life, and he has devoted the rest of his time to spending it on a variety of excellent causes. These include: creating the “alt” (for alternative) hierarchy in the Usenet discussion fora; open-source software; drugs law reform; philanthropy; and the Electronic Frontier Foundation (which last week won a notable concession from the Library of Congress to legalise the “jailbreaking” of one’s iPhone – ie liberating it from Apple’s technical shackles).
The Gilmore aphorism about censorship first saw the light of day in 1993 – in a Time article about the internet – and since then has taken on a life of its own as a consoling mantra about the libertarian potential of the network. “In its original form,” Gilmore explains, “it meant that the Usenet software (which moves messages around in discussion newsgroups) was resistant to censorship because, if a node drops certain messages because it doesn’t like their subject, the messages find their way past that node anyway by some other route.” But, he continues, “The meaning of the phrase has grown through the years. Internet users have proven it time after time, by personally and publicly replicating information that is threatened with destruction or censorship.”
The aphorism came up a lot last week following publication by the Guardian, the New York Times and Der Spiegel of extensive reports based on the stash of classified US military reports published on the WikiLeaks website. And of course in one sense this latest publishing coup does appear to confirm Gilmore’s original insight. But at the same time it grossly underestimates the amount of determination and technical ingenuity needed to make sure that the aphorism continues to hold good.
The sad truth is that, in practice, it is now trivially easy to censor the web. In most jurisdictions all you need to do is pay a lawyer to send a threatening letter to the ISP that hosts an offending site. The letter can allege defamation, or copyright infringement or privacy violations or a host of other grounds. The details usually don’t matter because, nine times out of 10, the ISP will immediately shut down the site, often without bothering to check whether your complaints have any validity. The reason: a legal precedent set by the so-called “Demon Internet” case, which established that an ISP may be held liable for damages if it fails to act on a complaint. Most companies won’t want to take the risk, so they pull the plug. QED.
So if the WikiLeaks operation depended on simply putting stuff on a website, then the governments and corporations who feel threatened by its exposures would have easily wiped it out years ago. Its durability is a product not just of the commitment of the activists behind it, but also of a sophisticated technical infrastructure which uses cryptography to ensure that every node in its virtual pipeline except the final, public, site is virtually impossible to identify.
At the heart of this is Tor, an open-source implementation of a networking technology which uses cryptography to pass data from router (internet node) to router in such a way that the identity of each is hidden. (The technology is derived from an earlier, multi-layered approach known as “the onion router” – hence the acronym.) As luck would have it, Tor is also a technology routinely used by governments to pass secret information around, so there’s a nicely ironic side to WikiLeaks’ deployment of it.
Tor provides a way of publishing information so that it’s extremely difficult to trace content to a particular internet address. This is good news for WikiLeaks geeks, but less so for the average whistleblower because it requires a level of technical expertise most people don’t possess. Which is why most whistleblowers will have to rely on the old-fashioned approach of putting stuff on lots of websites and social networks in the hope that it will be widely replicated. This may ensure that John Gilmore’s aphorism continues to hold. But it will also mean that the whistleblowers’ identities will be exposed. So if you have anything to reveal, try sending it to WikiLeaks first.